Wazuh multi-node cluster
This document will go through the installation of the Wazuh server components in a multi-node cluster.
Note
You need root user privileges to run all the commands described below.
Prerequisites
Before installing the Wazuh servers and Filebeat, some extra packages must be installed:
Install all the necessary packages (RPM-based operating system):
# yum install zip unzip curl
Install all the necessary packages (Debian-based operating system):
# apt-get install lsb-release curl apt-transport-https zip unzip gnupg
Installing Wazuh server
The Wazuh server collects and analyzes data from deployed agents. It runs the Wazuh manager, the Wazuh API and Filebeat. The first step in setting up Wazuh is adding the Wazuh repository to the servers. Alternatively, the Wazuh manager package can be downloaded directly, and compatible versions can be checked here.
Adding the Wazuh repository
This section describes how to add the Wazuh repository. It will be used for the Wazuh manager and Wazuh API installation. These steps must be followed in all the servers that will be part of the Wazuh multi-node cluster.
Import the GPG key (RPM-based operating system):
# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
Add the repository:
# cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF
On a Debian-based operating system, the curl, apt-transport-https and lsb-release packages must be installed on the system. The zip package will be necessary for the certificates management. If they are not already present, they must be installed using the commands below:
# apt-get update
# apt-get install curl apt-transport-https lsb-release unzip
Install the GPG key:
# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
Update the package information:
# apt-get update
Installing the Wazuh manager
Install the Wazuh manager package. This step must be applied in all servers that will act as Wazuh cluster nodes:
# yum install wazuh-manager-4.5.4-1
# apt-get install wazuh-manager=4.5.4-1
The Wazuh manager is now installed on all the Wazuh cluster nodes. By default it is configured as a single-node cluster. The following sections describe how to configure the Wazuh manager as a Wazuh master node or as a Wazuh worker node.
One server has to be chosen as the master; the rest will be workers. The section Wazuh server master node must be applied once, on the server chosen for this role. The section Wazuh server worker node must be applied on all the other servers.
Wazuh server master node
Configure the cluster node by editing the following settings in /var/ossec/etc/ossec.conf:
<cluster>
  <name>wazuh</name>
  <node_name>master-node</node_name>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <node_type>master</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
The parameters:
name: Name of the cluster.
node_name: Name of the current node.
key: Key that will be used to encrypt communication between cluster nodes. The key must be 32 characters long and the same for all of the nodes in the cluster. You may use the following command to generate a random key:
# openssl rand -hex 16
node_type: Node type (master/worker).
port: Destination port for cluster communication.
bind_addr: Network IP address to which the node will be bound to listen for incoming requests (0.0.0.0 for any IP).
nodes: The address of the master node. It must be specified in all nodes (including the master itself). The address can be either an IP or a DNS name.
hidden: Shows or hides the cluster information in the generated alerts.
disabled: Indicates whether the node will be enabled or disabled in the cluster. This option must be set to no.
Once the /var/ossec/etc/ossec.conf configuration file is edited, enable and start the Wazuh manager service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager
SysV init: choose one option according to your operating system.
RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start
Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start
Run the following command to check if the Wazuh manager is active:
Systemd:
# systemctl status wazuh-manager
SysV init:
# service wazuh-manager status
Wazuh server worker nodes
Configure the cluster node by editing the following settings in /var/ossec/etc/ossec.conf:
<cluster>
  <name>wazuh</name>
  <node_name>worker-node</node_name>
  <key>c98b62a9b6169ac5f67dae55ae4a9088</key>
  <node_type>worker</node_type>
  <port>1516</port>
  <bind_addr>0.0.0.0</bind_addr>
  <nodes>
    <node>wazuh-master-address</node>
  </nodes>
  <hidden>no</hidden>
  <disabled>no</disabled>
</cluster>
As shown in the example above, the following parameters have to be edited:
node_name: Each node of the cluster must have a unique name.
node_type: Has to be set to worker.
key: The key created previously for the master node. It has to be the same for all the nodes.
nodes: Has to contain the address of the master (it can be either an IP or a DNS name).
disabled: Has to be set to no.
Once the /var/ossec/etc/ossec.conf configuration file is edited, enable and start the Wazuh manager service.
Systemd:
# systemctl daemon-reload
# systemctl enable wazuh-manager
# systemctl start wazuh-manager
SysV init: choose one option according to your operating system.
RPM-based operating system:
# chkconfig --add wazuh-manager
# service wazuh-manager start
Debian-based operating system:
# update-rc.d wazuh-manager defaults 95 10
# service wazuh-manager start
Run the following command to check if the Wazuh manager is active:
Systemd:
# systemctl status wazuh-manager
SysV init:
# service wazuh-manager status
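Before starting the service on either a master or a worker node, it is worth confirming that the <cluster> block actually holds usable values. The following POSIX shell script is an added example, not part of the Wazuh documentation or the Wazuh project: given the path of an ossec.conf, it extracts the <cluster> settings and reports a missing or mis-sized key, the example key printed in this guide (which every reader knows), the unreplaced master address placeholder, a node_type other than master/worker, a non-numeric port, and disabled not set to no.

```shell
#!/bin/sh
# Added example (not part of the Wazuh documentation): sanity-check the
# <cluster> block of an ossec.conf before starting wazuh-manager on a node.
# Usage: sh check_cluster_conf.sh /var/ossec/etc/ossec.conf

# Print the text inside <tag>...</tag> within the <cluster> block (first match).
cluster_value() {
    sed -n '/<cluster>/,/<\/cluster>/p' "$1" |
        sed -n "s|.*<$2>\(.*\)</$2>.*|\1|p" | head -n 1
}

# Return 0 when every checked setting is usable, 1 otherwise; each problem is
# reported on stderr so it can be fixed before the service starts.
check_cluster_conf() {
    cc_rc=0
    cc_key=$(cluster_value "$1" key)
    cc_type=$(cluster_value "$1" node_type)
    cc_name=$(cluster_value "$1" node_name)
    cc_master=$(cluster_value "$1" node)
    cc_port=$(cluster_value "$1" port)
    cc_disabled=$(cluster_value "$1" disabled)

    # The key must be exactly 32 characters, which "openssl rand -hex 16" yields.
    [ "${#cc_key}" -eq 32 ] ||
        { echo "key: must be 32 characters, got ${#cc_key}" >&2; cc_rc=1; }
    # The key printed in this guide is public knowledge: every reader has it.
    [ "$cc_key" != "c98b62a9b6169ac5f67dae55ae4a9088" ] ||
        { echo "key: documentation example key in use, generate your own" >&2; cc_rc=1; }
    case $cc_type in
        master|worker) ;;
        *) echo "node_type: expected master or worker, got '$cc_type'" >&2; cc_rc=1 ;;
    esac
    [ -n "$cc_name" ] || { echo "node_name: must not be empty" >&2; cc_rc=1; }
    # <node> must hold the real master address, not the guide's placeholder.
    case $cc_master in
        ""|wazuh-master-address)
            echo "nodes/node: set the master address, got '$cc_master'" >&2; cc_rc=1 ;;
    esac
    case $cc_port in
        ""|*[!0-9]*) echo "port: expected a number, got '$cc_port'" >&2; cc_rc=1 ;;
    esac
    [ "$cc_disabled" = "no" ] ||
        { echo "disabled: must be 'no' for the node to join the cluster" >&2; cc_rc=1; }
    return $cc_rc
}

# With no argument only the functions are defined, so the file can be sourced.
if [ -n "${1:-}" ]; then check_cluster_conf "$1"; fi
```

Run it on every node after editing ossec.conf and before systemctl start wazuh-manager; a non-zero exit means at least one of the settings above still needs attention.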
To verify that the Wazuh cluster is enabled and all the nodes are connected, execute the following command:
# /var/ossec/bin/cluster_control -l
An example output of the command looks as follows:
NAME          TYPE     VERSION  ADDRESS
master-node   master   4.5.4    10.0.0.3
worker-node1  worker   4.5.4    10.0.0.4
worker-node2  worker   4.5.4    10.0.0.5
Note that 10.0.0.3, 10.0.0.4 and 10.0.0.5 are example IPs.
Installing Filebeat
Filebeat is the tool on the Wazuh server that securely forwards alerts and archived events to Elasticsearch. It has to be installed in every Wazuh manager server.
Adding the Elastic Stack repository
Import the GPG key (RPM-based operating system):
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Install the GPG key (Debian-based operating system):
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg
Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Update the package information:
# apt-get update
Filebeat installation and configuration
Install the Filebeat package:
# yum install filebeat-7.17.13
# apt-get install filebeat=7.17.13
Download the pre-configured Filebeat config file used to forward Wazuh alerts to Elasticsearch:
# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/filebeat.yml
Download the alerts template for Elasticsearch:
# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v4.5.4/extensions/elasticsearch/7.x/wazuh-template.json
# chmod go+r /etc/filebeat/wazuh-template.json
Download the Wazuh module for Filebeat:
# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.2.tar.gz | tar -xvz -C /usr/share/filebeat/module
Configure Filebeat certificates:
In section Installing Elasticsearch, the certs.zip file was created. The file must be copied into the Wazuh server host, for example, using scp. This guide assumes that the file is placed in ~/ (home user folder). The X must be replaced with the number defined for this Wazuh server in the instances.yml file:
# mkdir /etc/filebeat/certs/ca -p
# zip -d ~/certs.zip "ca/ca.key"
# unzip ~/certs.zip -d ~/certs
# cp -R ~/certs/ca/ ~/certs/filebeat-X/* /etc/filebeat/certs/
# mv /etc/filebeat/certs/filebeat-X.crt /etc/filebeat/certs/filebeat.crt
# mv /etc/filebeat/certs/filebeat-X.key /etc/filebeat/certs/filebeat.key
# chmod -R 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/ca/ca.* /etc/filebeat/certs/filebeat.*
# rm -rf ~/certs/ ~/certs.zip
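After the copy steps above, the following POSIX shell check (an added example, not part of the Wazuh documentation or the Wazuh project) confirms that the certificate directory ended up as the guide intends: ca/ca.crt, filebeat.crt and filebeat.key present, no ca.key anywhere on the host (it was deleted from certs.zip precisely so the CA private key never lands here), and the 500/400 modes applied. It takes the certificate directory as its argument and defaults to /etc/filebeat/certs.

```shell
#!/bin/sh
# Added example (not part of the Wazuh documentation): verify the Filebeat
# certificate directory after the copy steps in this guide.
# Usage: sh verify_filebeat_certs.sh [/etc/filebeat/certs]

# Return 0 when the layout and permissions match the guide, 1 otherwise.
verify_filebeat_certs() {
    vfc_dir=${1:-/etc/filebeat/certs} vfc_rc=0

    # The three files Filebeat needs; if filebeat.crt/.key are missing, the
    # placeholder X was probably not replaced or the mv steps were skipped.
    for vfc_f in ca/ca.crt filebeat.crt filebeat.key; do
        if [ ! -f "$vfc_dir/$vfc_f" ]; then
            echo "missing: $vfc_dir/$vfc_f" >&2; vfc_rc=1
        fi
    done

    # ca.key was removed from certs.zip on purpose: the CA private key signs
    # node certificates and has no business on a Filebeat host.
    if [ -n "$(find "$vfc_dir" -name ca.key 2>/dev/null)" ]; then
        echo "ca.key found under $vfc_dir: delete it, the CA key stays offline" >&2
        vfc_rc=1
    fi

    # chmod 400 on key material: owner read-only, nothing for group/others.
    for vfc_f in ca/ca.crt filebeat.crt filebeat.key; do
        [ -f "$vfc_dir/$vfc_f" ] || continue
        if [ -z "$(find "$vfc_dir/$vfc_f" -perm 400)" ]; then
            echo "$vfc_dir/$vfc_f: expected mode 400" >&2; vfc_rc=1
        fi
    done

    # chmod -R 500 on the directories: owner may list and traverse only.
    for vfc_d in "$vfc_dir" "$vfc_dir/ca"; do
        [ -d "$vfc_d" ] || continue
        if [ -z "$(find "$vfc_d" -prune -perm 500)" ]; then
            echo "$vfc_d: expected mode 500" >&2; vfc_rc=1
        fi
    done
    return $vfc_rc
}

# With no argument only the function is defined, so the file can be sourced.
if [ -n "${1:-}" ]; then verify_filebeat_certs "$1"; fi
```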
Edit the /etc/filebeat/filebeat.yml file.
Single-node Elasticsearch:
output.elasticsearch.hosts: ["<elasticsearch_ip>:9200"]
output.elasticsearch.password: <elasticsearch_password>
Replace <elasticsearch_ip> with the IP address or the hostname of the Elasticsearch server and <elasticsearch_password> with the previously generated password for the elastic user.
Multi-node Elasticsearch cluster:
output.elasticsearch.hosts: ["<elasticsearch_ip_node_1>:9200", "<elasticsearch_ip_node_2>:9200", "<elasticsearch_ip_node_3>:9200"]
output.elasticsearch.password: <elasticsearch_password>
Replace <elasticsearch_ip_node_x> with the IP address or the hostname of each Elasticsearch node to connect to and <elasticsearch_password> with the previously generated password for the elastic user.
Enable and start the Filebeat service.
Systemd:
# systemctl daemon-reload
# systemctl enable filebeat
# systemctl start filebeat
SysV init: choose one option according to the OS used.
Debian-based OS:
# update-rc.d filebeat defaults 95 10
# service filebeat start
RPM-based OS:
# chkconfig --add filebeat
# service filebeat start
To ensure that Filebeat has been successfully installed, run the following command:
# filebeat test output
Disabling repositories
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally, which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
RPM-based operating system:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
Debian-based operating system:
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
To uninstall Wazuh and Filebeat, visit the uninstalling section.
Next steps
The next step consists of installing Kibana.